Impact
The Add Code To Head plugin fails to escape or otherwise neutralize input that is subsequently rendered in the page header, resulting in a stored cross-site scripting vulnerability (CWE-79). An attacker who can supply that input is able to inject arbitrary JavaScript, which then executes in the browser of every visitor who views a page that includes the malicious content. Because the injected script runs in the visitor's session context, attackers can hijack sessions, deface content, or perform other malicious actions on behalf of site visitors.
Affected Systems
WordPress installations running salubrio's Add Code To Head plugin, version 1.17 or earlier. Any site where the plugin is active and accepts user-supplied code for placement in the head section of pages is affected. No lower version bound is known: every release up to and including 1.17 is affected.
Risk and Exploitability
The CVSS score of 5.9 denotes moderate severity, and the EPSS score below 1% indicates a low likelihood of exploitation in the near term. The flaw is not listed in the CISA KEV catalog, which further lowers the expectation of widespread active exploitation. Exploitation requires access to the plugin's administrative interface, or an account with permission to add code to the header, so the attack vector is inferred to be this internal interface rather than an unauthenticated one. Once injected, however, the malicious code runs automatically for every site visitor, making remediation a priority for any site that accepts such input.
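The two passages above describe the mechanism (raw input stored and echoed into the head) and the precondition (an account allowed to reach the save handler). The following is an added illustration, not the Add Code To Head plugin's own code: a minimal WordPress "code in head" feature written in a weak form and a hardened form. Every name prefixed acth_demo_ (functions, the option key, the nonce action, the admin_post hook suffix) is hypothetical; the WordPress APIs called (add_action, update_option, current_user_can, check_admin_referer, wp_kses_post, wp_head and the rest) are real.

```php
<?php
/*
 * Added example, not code from the Add Code To Head plugin.
 * All acth_demo_* identifiers are hypothetical; the WordPress
 * functions and hooks used are the real core APIs.
 */

// --- Weak pattern ---------------------------------------------------------
// Whoever reaches this handler can store raw markup that is later printed into
// <head> on every page, i.e. stored XSS (CWE-79). No capability check, no
// nonce, no filtering. Shown for contrast; it is NOT hooked below.
function acth_demo_save_weak() {
    update_option( 'acth_demo_head_code', wp_unslash( $_POST['head_code'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern -----------------------------------------------------
function acth_demo_save_hardened() {
    // 1. Only users who may manage site options can change site-wide head markup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. Reject forged cross-site submissions. The settings form must emit
    //    wp_nonce_field( 'acth_demo_save' ) so the _wpnonce field is present.
    check_admin_referer( 'acth_demo_save' );

    $code = wp_unslash( $_POST['head_code'] ?? '' );

    // 3. Raw <script> is the feature's purpose, so it is permitted only for
    //    users WordPress itself trusts with unfiltered_html (multisite and
    //    DISALLOW_UNFILTERED_HTML revoke that even from administrators).
    //    Everyone else is limited to the post-safe HTML subset, from which
    //    wp_kses_post strips script tags and on* event handlers.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $code = wp_kses_post( $code );
    }

    update_option( 'acth_demo_head_code', $code );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Output side, identical for both variants: the stored value is printed into
// <head> verbatim for every visitor. That is exactly why the save side, not
// the output side, has to decide who may store what.
function acth_demo_print_head() {
    echo get_option( 'acth_demo_head_code', '' );
}

add_action( 'admin_post_acth_demo_save', 'acth_demo_save_hardened' );
add_action( 'wp_head', 'acth_demo_print_head' );
```

The design point is that a head-injection feature cannot be fixed by HTML-escaping the output, because emitting markup is what it exists to do. The controls that matter sit on the write path: a capability check that narrows who can reach the handler, a nonce that stops a logged-in administrator from being made to submit it unknowingly, and deferring to WordPress's own unfiltered_html decision so that only accounts the site already trusts with raw script can store it.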